Lucene search
K

87086 matches found

CVE
CVE
added 2026/04/07 5:8 p.m.11 views

CVE-2026-35575

ChurchCRM (open-source church management) has a Stored XSS in the admin panel’s group-creation feature, prior to version 6.5.3. The vulnerability allows any user with group-creation privileges to inject malicious JavaScript that executes when an administrator views the page, enabling theft of the...

8CVSS5.9AI score0.00243EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/07 5:8 p.m.2 views

EUVD-2026-19773

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting Stored XSS vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

8CVSS5.9AI score0.00243EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/07 5:8 p.m.17 views

CVE-2026-35575 ChurchCRM has Stored XSS in Group Name

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting Stored XSS vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

8CVSS0.00243EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 5:8 p.m.3 views

CVE-2026-35575

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting Stored XSS vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

8CVSS5.9AI score0.00243EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/07 5:7 p.m.3 views

CVE-2026-33404

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js Network page and charts.js/index....

6.1CVSS5.9AI score0.00145EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 5:6 p.m.5 views

CVE-2026-33403

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface...

6.1CVSS6AI score0.00187EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 5:6 p.m.5 views

CVE-2026-33406

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js,...

6.1CVSS6AI score0.00254EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/07 5:6 p.m.1 views

CVE-2026-35573 ChurchCRM has a Path traversal leads to RCE

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The...

9.1CVSS6.6AI score0.00765EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/07 5:3 p.m.5 views

CVE-2026-26026

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6...

9.1CVSS5.9AI score0.0037EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 4:56 p.m.18 views

CVE-2026-35610 PolarLearn has a Server Action Admin Bypass in Account Management Actions

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassworduserId, password and deleteUseruserId in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

8.8CVSS0.00298EPSS
Exploits1References1
CVE
CVE
added 2026/04/07 4:56 p.m.7 views

CVE-2026-35610

CVE-2026-35610 affects PolarLearn; in 0-PRERELEASE-14 and earlier, the account-management module’s setCustomPassword(userId, password) and deleteUser(userId) used an inverted admin check, allowing authenticated non-admin users to perform these actions and effectively escalating privileges. This i...

8.8CVSS6AI score0.00298EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/04/07 4:56 p.m.4 views

EUVD-2026-19786

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassworduserId, password and deleteUseruserId in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

8.8CVSS6AI score0.00298EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 4:56 p.m.0 views

CVE-2026-35610

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassworduserId, password and deleteUseruserId in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

8.8CVSS6AI score0.00298EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 4:50 p.m.2 views

CVE-2026-23696 Windmill < 1.603.3 File Ownership Handling SQLi RCE

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signi...

9.9CVSS6.4AI score0.05064EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/04/07 4:50 p.m.3 views

CVE-2026-23696

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signi...

9.9CVSS6.4AI score0.05064EPSS
Exploits0References7Affected Software2
vulnersOsv
vulnersOsv
added 2026/04/07 4:15 p.m.4 views

admin-auth0 (>=0.1.1 <=0.1.5), aldryn-django (>=4.2.10.0 <=4.2.18.0) +126 more potentially affected by CVE-2026-33033 via django (>=4.2.0 <=4.2.3)

django PYPI version =4.2.0, =0.1.1, =4.2.10.0, =65.10.0, =7.5.1, =1.0.2, =0.0.1, =0.0.9, =1.3.9, =0.4.0, =0.0.1, =4.16.2, =4.8.0, =4.17.1 and more Source cves: CVE-2026-33033 Source advisory: SNYK:PYTHON-DJANGO-15923567...

6.5CVSS5.8AI score0.00689EPSS
Exploits1
Snyk
Snyk
added 2026/04/07 4:14 p.m.3 views

Missing Authorization

Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Missing Authorization in the InlineModelAdmin.getformset function. An attacker can gain unauthorized access to add inline model...

9.8CVSS5.9AI score0.00458EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/07 4:14 p.m.7 views

arches (=8.0.0a1), desktop-django-starter (=0.1.0) +33 more potentially affected by CVE-2026-4277 via django (>=6.0.0 <=6.0.3)

django PYPI version =6.0.0, =2.0.0, =1.1.0, =0.1.0, =0.1.0b2, =0.2.0b1 and more Source cves: CVE-2026-4277 Source advisory: SNYK:PYTHON-DJANGO-15923568...

9.8CVSS5.4AI score0.00458EPSS
Exploits0
Snyk
Snyk
added 2026/04/07 4:13 p.m.1 views

Missing Authorization

Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Missing Authorization in the admin changelist forms using ModelAdmin.listeditable. An attacker can gain unauthorized access to...

5.3CVSS5.9AI score0.00294EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/07 4:13 p.m.2 views

admin-auth0 (>=0.1.1 <=0.1.5), aldryn-django (>=4.2.10.0 <=4.2.18.0) +126 more potentially affected by CVE-2026-4292 via django (>=4.2.0 <=4.2.3)

django PYPI version =4.2.0, =0.1.1, =4.2.10.0, =65.10.0, =7.5.1, =1.0.2, =0.0.1, =0.0.9, =1.3.9, =0.4.0, =0.0.1, =4.16.2, =4.8.0, =4.17.1 and more Source cves: CVE-2026-4292 Source advisory: SNYK:PYTHON-DJANGO-15923535...

2.7CVSS5.8AI score0.00294EPSS
Exploits0
Rows per page
Query Builder